
Pixalate discovers sophisticated sites that hijack sessions without malware

Sep 6, 2017 3:38:38 PM

Pixalate has uncovered a family of web sites committing session hijacking — a form of Sophisticated Invalid Traffic (SIVT), as defined by the MRC. The sites in question are capable of hijacking a user’s browser without any malware installed, continually refreshing the browser to generate more ad revenue. (Update: The sites in question appear to have been taken down. But this post still contains video and data to detail how this type of attack works.)

The “zombie sites” work on both desktop and mobile devices. On mobile devices, the site attempts to pull users away to the App Store.

Monkey Frog Media: The family of sites behind the hijacked sessions

Monkey Frog Media is the parent site and home to a number of sites that all commit the same type of ad fraud. It claims to be a site dedicated to three topics — food, parenting, and technology — but it appears to be a front to commit ad fraud. The sites under Monkey Frog Media’s umbrella include:

  • Trendy Recipe
  • Tech’s Life
  • Watch the Screen
  • Right Parent
  • Mom Taxi
  • Recipe Dept.
  • Arcade Duck

Session hijacking can lead to 600+ ads served to one browser window within 1 hour


The cumulative effect of a hijacked web browser can be devastating for advertisers. In our analysis of MomTaxi.com, using the Chrome browser, after just 10 minutes, nearly 100 ad impressions will be served to a single “user.” All of this data shows just one user session within a single browser.

  • 10 Minutes: 91 impressions served
  • 20 Minutes: 215 impressions served
  • 30 Minutes: 324 impressions served
  • 40 Minutes: 445 impressions served
  • 50 Minutes: 539 impressions served
  • 1 Hour: 655 impressions served

More than an auto-refresh: This threat also self-navigates — without malware

This attack is unique because it does not just auto-refresh the page to generate more impressions, like many similar session hijackings. This threat also self-navigates to replicate legitimate human activity.

This is a sophisticated attack that linearly spaces automatic redirects to mimic real user behavior. The correlation between redirects and elapsed time has a nearly perfect R-squared of .999. The fraud attack leads to a tidy 100 internal redirects per hour, or about 5 redirects every 3 minutes.

  • 10 Minutes: 15 automatic internal redirects
  • 20 Minutes: 32 automatic internal redirects
  • 30 Minutes: 49 automatic internal redirects
  • 40 Minutes: 68 automatic internal redirects
  • 50 Minutes: 84 automatic internal redirects
  • 1 Hour: 100 automatic internal redirects
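The same linearity can be turned into a detection signal. The following is an added example, not Pixalate's code: it fits a least-squares line to the cumulative redirect counts listed above and flags a session whose navigation is both sustained and near-perfectly linear. The thresholds and the "human" sample session are assumptions constructed for illustration.

```python
# Added example: flag sessions whose cumulative navigation count grows
# almost perfectly linearly with time, the signature described above.

# Cumulative automatic internal redirects from the article: (minute, count).
PAGE_REDIRECTS = [(10, 15), (20, 32), (30, 49), (40, 68), (50, 84), (60, 100)]

# Constructed sample (not from the article): a human session with bursts of
# clicks followed by idle reading time.
HUMAN_SESSION = [(10, 6), (20, 7), (30, 7), (40, 15), (50, 16), (60, 16)]


def linear_fit(points):
    """Ordinary least squares; returns (slope, intercept, r_squared)."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    syy = sum((y - mean_y) ** 2 for _, y in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    if sxx == 0 or syy == 0:
        # No time span or no change in count: nothing to fit.
        return 0.0, mean_y, 0.0
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x, (sxy * sxy) / (sxx * syy)


def is_metronomic(points, min_r2=0.995, min_per_hour=60, min_samples=5):
    """True when navigation is both sustained and near-perfectly linear.

    Thresholds are illustrative assumptions, not values from the article.
    """
    if len(points) < min_samples:
        return False  # too little data to call a session machine-paced
    slope, _, r2 = linear_fit(points)
    return r2 >= min_r2 and slope * 60 >= min_per_hour


if __name__ == "__main__":
    for name, series in (("article", PAGE_REDIRECTS), ("human", HUMAN_SESSION)):
        slope, _, r2 = linear_fit(series)
        print(f"{name}: {slope * 60:.0f} navigations/hour, R^2={r2:.3f}, "
              f"flagged={is_metronomic(series)}")
```

Requiring a minimum rate alongside the R-squared threshold keeps slow but steady human browsing from being flagged on linearity alone.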

Device- and browser-aware ad fraud attack

The Monkey Fraud Media ad fraud ring is also sophisticated in that its technology is capable of identifying which browser or device the "user" is on. The attack uses this data to inform its redirects.

For example, the websites make calls to the Apple store. If you are on an iTunes-compatible device, the site will automatically navigate you to the iTunes store through a series of malicious redirects (that likely give the fraudster referral credit).

Depending on which browser or device you are using, the attack can attempt to drive you off of the site to another site, again through a series of malicious redirects.

Fraudsters could steal millions per year using this site

These sites also auto navigate and refresh within different tabs and browsers, even if you don’t have the tab or browser open. This allows the fraudster to exponentially multiply the attack and the amount of money stolen.

According to our data, the estimated price paid for ads on Mom Taxi is $0.75 CPM. Based on all of this data, if the fraudster were able to keep 2,000 browsers/tabs open on Mom Taxi all day (via a farm, for example), then they would steal nearly $25,000 per day from advertisers.

  • 1 browser/tab left open for 24 hours: $11.79 stolen
  • 100 browsers/tabs left open for 24 hours: $1,179 stolen
  • 500 browsers/tabs left open for 24 hours: $5,895 stolen
  • 2000 browsers/tabs left open for 24 hours: $23,580 stolen
  • 5000 browsers/tabs left open for 24 hours: $58,950 stolen

To be clear: These figures represent hypothetical scenarios that depict how this site — or similar sites/attacks — could impact marketers’ pocketbooks. Even if we take one of the more modest hypotheticals (500 browsers/tabs left open for 24 hours), a sustained attack would net the fraudsters over $2 million per year.

Monkey Frog Media: A growing threat?


You may not have ever heard of Monkey Frog Media or its subsidiary sites, but the site has catapulted up the Alexa rankings in recent months.

As of this writing, monkeyfrogmedia.com ranks #2,330 in Canada and #7,794 globally. In September of 2016, it wasn’t even in the top 40,000.

The Pixalate Media Rating Terminal (MRT) shows that MomTaxi.com is a high-risk site for both desktop and mobile ad impressions.

Interestingly, while Monkey Frog Media has seen a meteoric rise in its Alexa rankings, none of its subsidiary sites have dramatically improved, according to their individual rankings. By looking at the SimilarWeb information, we can see that 100% of this site's traffic goes to "click.monkeyfrogmedia.com," and each of the individual properties has "click.monkeyfrogmedia.com" as a top referral traffic source. This referral loop boosts Monkey Frog Media’s rankings, making it appear legitimate.

Looking at the SimilarWeb information once again, one can see that the top sources of inbound referral traffic are porn or illegal streaming sites for each individual property.
